Super Contributor II

ClearPass GUEST with high latency cluster

Hi,

 

I have been working to get our new CPPM server up running. This new server is located in a remote office which has a latency of around 300ms+. It has been joined to our existing cluster.

 

I am curious about the topology of how ClearPass Guest works in this scenario.

We have a captive portal that is being hosted from the CPPM.

The guest network in our remote office is set up to connect back to the publisher ClearPass and not the local subscriber. The registration of the guest accounts all occurs against the publisher. The authentication though occurs against the local subscriber. This is where I am running into issues. It seems that the subscriber node is not able to sync the data in time and I am left with a message stating that the user does not exist in the Guest Repository.

 

I am just curious about what the proper setup is for this scenario? I feel like I am missing the boat when it comes to how the ClearPass Guest should be structured, as well as in general. The latency has been presenting challenges I didn't expect.

 

I was thinking that for the Captive Portal configuration instead of pointing it at the CPPM in the local site I would point it to the publisher. Is this the correct way to handle this? Or am I completely out to lunch?

Aruba Employee

Re: ClearPass GUEST with high latency cluster

Take a look at the ClearPass Deployment Guide. It has specific recommendations. Check the section on Cluster Design Considerations.

 

http://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Default.htm#5%20Cluster%20Deployment/Design_guidelines.htm

 

 

Super Contributor II

Re: ClearPass GUEST with high latency cluster

Thank you for your reply.

 

I read over the document.

Everything for the most part makes sense.

We are definitely experiencing issues with the latency.

The way our Guest is set up is correct, but because of the replication delays we run into issues.

 

The geographical zoning configuration sounds like something we may need to implement. However, I do have some concerns about the runtime data that isn't synchronized. The document explicitly mentions that the endpoints db information isn't. We do have users that travel between the locations on a regular basis and it would be handy to have this data present in our remote locations.

 

I believe that the major issue is related to the link we have to our remote location. It is very small, well under what is recommended in this document.

 

I will continue to investigate, thank you for this document!

 

Cheers

 

Super Contributor II

Re: ClearPass GUEST with high latency cluster

I was able to overcome the guest latency issue by having the guest authentication sent back to the publisher.

Seems to work as a temporary fix until we address the real issue behind the latency.

 

So much more to learn!

Super Contributor II

Re: ClearPass GUEST with high latency cluster

I was wondering if someone might be able to help with how the Endpoints db works when in a cluster.

 

If an enforcement policy is writing attributes into the Endpoints db for a particular endpoint, where is that actually happening? Is that happening in the subscriber or in the publisher? If the RADIUS request is being handled by a subscriber, does that mean the write is happening in the subscriber?

 

I am a little confused on that point.

Contributor I

Re: ClearPass GUEST with high latency cluster

Bump.. running into the same issue and ran across this. I have CPPM nodes at a remote site, but only ~20ms latency, and I'm still seeing this issue with Guest. The Webauth is performed on the publisher, which writes the endpoint details to the DB. The client is re-authenticated, but the details haven't made it back to the remote CPPM node yet, so guest auth fails to see the new endpoint attributes. What are other possible solutions for this? The only thing I can think of currently is to force all my Guest SSID RADIUS back to the publisher node, which is what it looks like the OP did. Any other thoughts? I have my CoA delay up as high as 7 seconds and it still isn't enough time.. What is an expected time for a publisher to sync endpoint details back to a subscriber? 

Guru Elite

Re: ClearPass GUEST with high latency cluster

This is a very old thread. Next time, please create a new one.

 

Which network device is in use here?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Contributor I

Re: ClearPass GUEST with high latency cluster

In my case, Cisco WLC with MAC auth and server-based CoA redirect.

Guru Elite

Re: ClearPass GUEST with high latency cluster

Why aren't you using client-initiated login?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Contributor I

Re: ClearPass GUEST with high latency cluster

I need both wired and wireless redirects, tried to keep both with similar setups, and I also need more dynamic url redirects to different guest pages based on several different use cases.